[PATCH v11 0/9] bpf: Add kfuncs for PKCS#7 signature verification
Roberto Sassu
roberto.sassu at huawei.com
Tue Aug 16 07:12:32 UTC 2022
> From: Daniel Borkmann [mailto:daniel at iogearbox.net]
> Sent: Monday, August 15, 2022 6:10 PM
> On 8/12/22 12:18 PM, Roberto Sassu wrote:
> > One of the desirable features in security is the ability to restrict import
> > of data to a given system based on data authenticity. If data import can be
> > restricted, it would be possible to enforce a system-wide policy based on
> > the signing keys the system owner trusts.
> >
> [...]
> > Changelog
> >
> > v10:
> > - Introduce key_lookup_flags_check() and system_keyring_id_check() inline
> > functions to check parameters (suggested by KP)
> > - Fix descriptions and comment of key-related kfuncs (suggested by KP)
> > - Register kfunc set only once (suggested by Alexei)
> > - Move needed kernel options to the architecture-independent configuration
> > for testing
>
> Looks like from BPF CI side, the selftest throws a WARN in test_progs /
> test_progs-no_alu32
> and subsequently fails with error, ptal:
>
> https://github.com/kernel-
> patches/bpf/runs/7804422038?check_suite_focus=true
Hi Daniel
it is due to the missing SHA256 kernel module (not copied to
the virtual machine).
I made a small patch in libbpf/ci to change kernel options =m
into =y. With that patch, my instance of vmtest gives success
(except for z15, which requires adding openssl and keyctl
to the virtual machine image).
Roberto
> [...]
> #235 verif_scale_xdp_loop:OK
> #236 verif_stats:OK
> #237 verif_twfw:OK
> [ 760.448652] ------------[ cut here ]------------
> [ 760.449506] WARNING: CPU: 3 PID: 930 at crypto/rsa-pkcs1pad.c:544
> pkcs1pad_verify+0x184/0x190
> [ 760.450806] Modules linked in: bpf_testmod(OE) [last unloaded:
> bpf_testmod]
> [ 760.452340] CPU: 3 PID: 930 Comm: keyctl Tainted: G OE 5.19.0-
> g9f0260338e31-dirty #1
> [ 760.453626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.13.0-1ubuntu1.1 04/01/2014
> [ 760.454801] RIP: 0010:pkcs1pad_verify+0x184/0x190
> [ 760.455380] Code: 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 48 89 df 89 c6 5b 41
> 5c 41 5d 41 5e 41 5f 5d e9 a5 04 00 00 0f 0b b8 ea ff ff ff eb d4 <0f> 0b b8 ea ff
> ff ff eb cb 0f 0b 90 0f 1f 44 00 00 53 48 89 fb c7
> [ 760.456866] RSP: 0018:ffffad55478dbb58 EFLAGS: 00000246
> [ 760.457684] RAX: ffff9b3c43c42458 RBX: ffff9b3c48975b00 RCX:
> 0000000000000000
> [ 760.458672] RDX: ffffffffa7277438 RSI: ffffffffa5275510 RDI:
> 0000000000000000
> [ 760.459670] RBP: ffffad55478dbcf8 R08: 0000000000000002 R09:
> 0000000000000000
> [ 760.460688] R10: ffffad55478dbc20 R11: ffffffffa44dde10 R12:
> ffff9b3c43de2e80
> [ 760.461695] R13: ffff9b3c58459ea0 R14: ffff9b3c44d59600 R15:
> ffffad55478dbc20
> [ 760.462270] FS: 00007ff1ee0eb740(0000) GS:ffff9b3cf9cc0000(0000)
> knlGS:0000000000000000
> [ 760.462722] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 760.463026] CR2: 000055b9a4c17588 CR3: 0000000107bb2000 CR4:
> 00000000000006e0
> [ 760.464039] Call Trace:
> [ 760.464465] <TASK>
> [ 760.464749] public_key_verify_signature+0x4a2/0x570
> [ 760.465623] x509_check_for_self_signed+0x4e/0xd0
> [ 760.465937] x509_cert_parse+0x193/0x220
> [ 760.466656] x509_key_preparse+0x20/0x1f0
> [ 760.466975] asymmetric_key_preparse+0x43/0x80
> [ 760.467552] key_create_or_update+0x24e/0x510
> [ 760.468366] __x64_sys_add_key+0x19b/0x220
> [ 760.468704] ? syscall_enter_from_user_mode+0x24/0x1f0
> [ 760.469056] do_syscall_64+0x43/0x90
> [ 760.469657] entry_SYSCALL_64_after_hwframe+0x63/0xcd
> [ 760.470413] RIP: 0033:0x7ff1edf0ba9d
> [ 760.470832] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8
> 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 73 01 c3 48 8b 0d cb e2 0e 00 f7 d8 64 89 01 48
> [ 760.472742] RSP: 002b:00007ffe635e7a18 EFLAGS: 00000246 ORIG_RAX:
> 00000000000000f8
> [ 760.473355] RAX: ffffffffffffffda RBX: 00007ffe635e7be0 RCX:
> 00007ff1edf0ba9d
> [ 760.474523] RDX: 000055982fed80c0 RSI: 00007ffe635e7f17 RDI:
> 00007ffe635e7f0c
> [ 760.475500] RBP: 00007ffe635e7a38 R08: 00000000fffffffd R09:
> 0000000000000000
> [ 760.475913] R10: 0000000000000355 R11: 0000000000000246 R12:
> 0000000000000000
> [ 760.476594] R13: 00007ffe635e7bd8 R14: 000055982fed48ae R15:
> 000055982fed76e8
> [ 760.477579] </TASK>
> [ 760.477769] irq event stamp: 4727
> [ 760.477963] hardirqs last enabled at (4735): [<ffffffffa4101df5>]
> __up_console_sem+0x75/0xa0
> [ 760.479036] hardirqs last disabled at (4744): [<ffffffffa4a31cca>]
> sysvec_apic_timer_interrupt+0xa/0xb0
> [ 760.480403] softirqs last enabled at (4762): [<ffffffffa4085172>]
> __irq_exit_rcu+0xb2/0x140
> [ 760.480869] softirqs last disabled at (4755): [<ffffffffa4085172>]
> __irq_exit_rcu+0xb2/0x140
> [ 760.481706] ---[ end trace 0000000000000000 ]---
> Generating a RSA private key
> .+++++
> ..................................................+++++
> writing new private key to '/tmp/verify_sigXdOL5V/signing_key.pem'
> -----
> add_key: Invalid argument
> test_verify_pkcs7_sig:PASS:mkdtemp 0 nsec
> test_verify_pkcs7_sig:FAIL:_run_setup_process unexpected error: 1 (errno
> 126)
> #238 verify_pkcs7_sig:FAIL
> #239 vmlinux:OK
> #240 xdp:OK
> #241/1 xdp_adjust_frags/xdp_adjust_frags:OK
> #241 xdp_adjust_frags:OK
> #242/1 xdp_adjust_tail/xdp_adjust_tail_shrink:OK
> #242/2 xdp_adjust_tail/xdp_adjust_tail_grow:OK
> [...]
More information about the Linux-security-module-archive
mailing list